LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 08-23-2008, 05:09 PM   #1
nephish
Member
 
Registered: Jun 2005
Distribution: arch, ubuntu
Posts: 456

Rep: Reputation: 30
help determine if I was hacked


Hey there all,
i run a data processing station that gets info automatically via email. So i have a user set up and in my software, i have the user log in (dovecot) and check the email and process anything there. There are actually two users on the system that do this.
Today, both lost permission to check their Maildir.
I can't find anything in the auth log that looks suspicious, or the .bash_history of either user. Not even the main user of the system.
The way it got fixed was with a sudo chown mailuser /home/mailuser -R

I don't get what could have don't this. I have not been running any maintenance or anything else, it has just been happy running along.

Is this a cracker that did something?
Has anyone seen this before?

thanks for any tips, i wonder if it's ok to breathe now, or if it will happen again.

thanks
 
Old 08-23-2008, 05:16 PM   #2
amani
Senior Member
 
Registered: Jul 2006
Location: Kolkata, India
Distribution: 64-bit GNU/Linux, Kubuntu64, Fedora QA, Slackware,
Posts: 2,758

Rep: Reputation: Disabled
Run rkhunter

chkrootkit

You will need to check system logs, web logs.

There are tools like snort for the purpose. Why did you not install it?

see a full manual/book
 
Old 08-23-2008, 05:47 PM   #3
nephish
Member
 
Registered: Jun 2005
Distribution: arch, ubuntu
Posts: 456

Original Poster
Rep: Reputation: 30
well, i have never heard much about them. I havn't really looked though. I don't run anything as root, i pay attention to what recommended permissions to set, what services are ok, and not ok... just never had any trouble in the past three years. I am kinda new at this, still, i guess this serves as an ample wake up call.
thanks
 
Old 08-23-2008, 06:28 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
Soze for recycling posts but have a look at my first post here please: http://www.linuxquestions.org/questi...server-664871/
 
Old 08-23-2008, 06:32 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
Quote:
Originally Posted by amani View Post
see a full manual/book
While people should have a basic understanding of what their system comprises of I don't mark (perceived) incidents, possible breaches of security, as something warranting a generic RTF(ine)M type of answer. Next time you or anyone encounters such a thread, if you can't manage to put in a more detailed response, I'd appreciate it if you point to 0) the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/ and 1) the Linux Security forum. TIA
 
Old 08-23-2008, 06:49 PM   #6
nephish
Member
 
Registered: Jun 2005
Distribution: arch, ubuntu
Posts: 456

Original Poster
Rep: Reputation: 30
Great response, and great link, unSpawn.
thanks for that.
 
Old 08-23-2008, 07:00 PM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
No need to thank me: we're here to help. BTW I saw a move request for this thread to the Linux Security forum so hopefully it'll materialise there RSN.
 
Old 08-23-2008, 09:01 PM   #8
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
Sometimes things just happen by accident. I don't know which distro you have this running on. Usually the package system has a command that will validate a package. This might help you determine whether files or directories have the wrong permissions.

For an rpm based system you could use: rpm -qf <path/to/file>
to determine which package supplies a file or directory and then
rpm -qV <packagename>
to validate it.

I think that debian based systems have a similar command.
 
Old 08-23-2008, 09:57 PM   #9
amani
Senior Member
 
Registered: Jul 2006
Location: Kolkata, India
Distribution: 64-bit GNU/Linux, Kubuntu64, Fedora QA, Slackware,
Posts: 2,758

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn View Post
...I'd appreciate it if you point to 0) the Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/ and 1) the Linux Security forum. TIA
Yes, that will help. The LQ wiki can be updated with more links too.
http://wiki.linuxquestions.org/wiki/...ecurity_Basics
 
Old 08-23-2008, 10:05 PM   #10
nephish
Member
 
Registered: Jun 2005
Distribution: arch, ubuntu
Posts: 456

Original Poster
Rep: Reputation: 30
little update here guys,
I am running a debian system, well, ubuntu Gutsy. The system has been in place for quite a while, months. This is the first time this has happened.
After i rewrote the permissions on the logs, i have not had a problem and it has been now a few hours.

So, maybe someone or some script-kiddie got in, but they didn't do much if they did, and left no tracks that i can find in any logs.

thanks for the advice to all, thank God it was ok this time..

i just put in an order at Amazon.com, i would feel even more like an idiot next time.

sk
 
Old 08-24-2008, 08:01 AM   #11
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,311
Blog Entries: 54

Rep: Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860Reputation: 2860
Quote:
Originally Posted by jschiwal View Post
Sometimes things just happen by accident.
In terms of perception and how to act on things I agree with that. Kinda Hanlon's razor thing, right?


Quote:
Originally Posted by amani View Post
The LQ wiki can be updated with more links too.
Good you mentioned that. If you would be willing to help out with that Wiki page that would be most welcome...


Quote:
Originally Posted by nephish View Post
So, maybe someone or some script-kiddie got in, but they didn't do much if they did, and left no tracks that i can find in any logs.
Personally I don't like "maybe" and then leave things dangling. There either was or there was no breach. You trust the machine's integrity completely or you don't. So, if you would like us to provide a second opinion then posting a more detailed account of what you checked would be a nice start...
 
Old 08-24-2008, 11:00 AM   #12
nephish
Member
 
Registered: Jun 2005
Distribution: arch, ubuntu
Posts: 456

Original Poster
Rep: Reputation: 30
hey,
read up on and installed rkhunter. After it's update and run, everything looked good. I don't sleep well with something like this dangling either.

Thanks to all.
 
  


Reply

Tags
mail, security


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How do i determine my IP address? How do i determine my host name? jwymore Linux - Networking 5 02-07-2007 09:57 AM
I think I've been hacked :( suavecu Linux - Security 5 11-23-2006 11:51 PM
Have I been hacked? PAB Linux - Security 3 04-18-2005 06:21 PM
Was I Hacked??? treedstang Linux - Security 2 05-20-2004 09:41 AM
Hacked? BajaNick Linux - Security 16 09-20-2003 01:46 PM


All times are GMT -5. The time now is 07:42 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration